The Technology Industry and The Age of Hybrid Warfare
The age of hybrid warfare – risks of harm and escalation
The world no longer needs to wonder or speculate about what “cyber warfare” will look like. It is here. For many, the tragic and inexcusable invasion in Ukraine is immediately reminiscent of warfare and territorial conquest in Europe of previous generations. However, those in the technology industry cannot avoid recognizing a new element that makes this war different from any that has come before – the cyber dimension. As the digital aspects of this war continue to evolve, there will need to be new forms of cooperation to address an unprecedented challenge. This includes cooperation with the technology industry that is already working to detect, defend and disrupt attempts to attack peaceful technology to cause harm. Moreover, the international community must do more to deter reckless behavior online to avoid the most damaging cyberattacks and the potential for unintended and catastrophic escalation.
For Cybersecurity Tech Accord signatories, the highest priority will continue to be doing everything we can to protect our respective customers who may be impacted by cyberattacks employed in the war. This obligation cuts to the core of our collective commitment to protect our users and customers everywhere. However, this war should also light a fire under policy efforts at the United Nations (UN), in regional bodies, and in capitals to clarify and uphold international law online, develop and reinforce necessary norms for state behavior online, and promote transparency in enforcement. Cyberspace has emerged as a robust domain of conflict and, as with every other domain, we need clear and enforceable rules to build trust and avoid the worst outcomes.
The Cybersecurity Tech Accord signatories have unique insights and responsibilities
Due to its geopolitical significance, positioned between the NATO alliance and the Russian Federation, Ukraine has unfortunately long been a prominent target for state-sponsored cyberattacks. In fact, a number of Cybersecurity Tech Accord signatories have sounded the alarm on this issue for years. In 2016, FireEye (now Mandiant) called attention to the activity of “Sandworm,” a Russia-linked threat actor that had downed Ukrainian power systems. This same threat actor would, a year later, instigate the “NotPetya” attack that would become the most costly cyberattack in history. Last year, the Microsoft Digital Defense Report highlighted Ukraine as one of the most targeted countries by nation-state cyberattacks, with nearly one-in-five observed attacks targeting the country. In the weeks prior to the invasion, Microsoft and ESET published reports on data-wiping malware deployed against government agencies in Ukraine. Meanwhile, Mandiant has now observed three primary stages of cyber operations aligned closely with Russian military and diplomatic actions and activities in the lead-up to hostilities and throughout the war:
- Stage 1: Strategic cyber espionage focused on Ukraine and EU / NATO government bodies
- Stage 2: Prepositioning of disruptive cyber effects in critical infrastructure
- Stage 3: Persistent cyberattacks as part of kinetic operations throughout invasion
While many of these companies are competitors, there has always been cooperation and alignment across the community of defenders working to identify and disrupt the most sophisticated malicious actors seeking to cause harm. The cybersecurity challenges in Ukraine have only grown since the invasion began, alongside private sector support as a watchdog and defender. Microsoft recently published a report capturing the breadth of Russian cyberattacks targeting Ukraine that it has observed, including the 40% of destructive attacks which have targeted organizations in critical infrastructure sectors. Another report by ESET calls attention to a recent attack on the Ukrainian energy sector, once again attributed to Sandworm, which was thwarted via cooperation between the company and CERT-UA. And TrendMicro has been cataloguing cyber operations they have observed on both sides of the conflict. Cyberattacks are now employed in tandem with kinetic attacks in this war, and they call on the technology industry to live up to its responsibilities, as expressed in the principles of the Cybersecurity Tech Accord – strong defense, no offense, capacity building, and collective action.
The dangers of unintended escalation
Russia invaded Ukraine on February 24, after weeks of positioning forces along its borders, formally violating Ukrainian sovereignty and initiating an armed conflict. However, there was ample evidence of conflict in the days and even years leading up to this invasion, given the volume of nation-state cyberattacks against targets in Ukraine. And as cyberspace has become an increasingly critical domain of human activity, almost certainly Ukrainian sovereignty was violated well before any actual invasion. This includes when Ukrainian critical infrastructure, like power systems, was targeted in attacks by foreign adversaries. While these previous cyberattacks did not appear to precipitate retaliation from Ukraine’s government, it is not hard to imagine how they could have, or how another country in a similar situation would feel compelled to respond to such aggressions, either in cyberspace or in a kinetic domain.
Unfortunately, it seems more than reasonable to assume that it is precisely because of the ambiguity of expectations in cyberspace that state-sponsored cyberattacks against Ukraine were preferred tactics in recent years. Without a prescribed response to the more unprecedented actions, even when they were quite damaging, adversaries could assume they would get away with it. While cyberattacks have not been linked directly with physical damage or loss of life in Ukraine, they enable the military campaign and can uniquely impact unintended targets, putting innocent civilians and non-combatants at risk. In addition to the ongoing, observed pro-Russia influence campaigns such as Secondary Infektion targeting Ukrainian audiences with disinformation, cyberattacks on public government resources and media organizations can play a psychological role that extends beyond military targets to sow chaos in the populace.
NATO and other actors have carefully calibrated response options for most contingencies but should continue to focus on mitigation techniques related to cyberattacks. This includes determining thresholds for enhanced support and integration for countries under threat and attack; potentially establishing a joint collaborative entity at the Alliance level to coordinate pre-planning and preparatory actions before, during, and after a major cyber incident; enhancing cyber threat information sharing agreements between Alliance members; buttressing the public-private partnership with consistent, persistent engagement; and reinforcing explicit norms in cyberspace. The ever-present threat in the background of this war is the potential for escalation and entanglement to draw NATO and Russian forces into direct armed conflict. Now more than ever it is critical for the international community to work collectively to leverage respective public and private sector expertise to build and enhance cybersecurity capacity and resiliency.
These are the eventualities that the international community must consider. In late March, U.S. President Joe Biden issued a statement putting American critical infrastructure providers on high alert about potential cyberattacks from Russia in retaliation for U.S. support for Ukraine. Russia has developed and demonstrated its capability to carry out serious attacks for several years. This includes successfully infiltrating critical infrastructure all over the world and developing dangerous tools, like TRITON and INCONTROLLER, for manipulating industrial control systems. Using these tools and accesses, attackers could render major critical systems inoperable, cause serious cascading effects across the economy and society, and even put lives in danger, once again opening the door to further escalation.
The road ahead… is bumpy
Sadly, there are no quick fixes to these issues, and for the time being, as it relates to the war in Ukraine, the name of the game will need to be triage and de-escalation. For the private sector, this includes adhering to government-imposed sanctions and flagging cyber operations as they come to our attention. Companies can also help respond as appropriate to cybersecurity challenges to protect their customers – including by responsibly disrupting attacks in partnership with government stakeholders. The whole world needs to be pushing for a speedy and peaceful resolution to this conflict; one which prioritizes human life and discourages reckless and bellicose behavior in the future. This includes discouraging the wanton use of cyberattacks against adversaries.
Amid this senseless and unnecessary war, there is perhaps an opportunity to recognize that we have finally, as an international community, touched a hot stove in the use of offensive cyber capabilities. The potential for collateral damage and unintended escalation posed by these tools absent clear and enforceable expectations and consequences is an intolerable risk. The ongoing deliberations surrounding responsible state behavior in cyberspace in the UN’s Open-Ended Working Group have never been more important. Moreover, the UN Security Council needs to live up to its mandate to maintain international peace and security, which includes addressing the rising number of nation state cyberattacks that put innocent people at risk. We can no longer ignore cyberspace for what it is in the 21st century – a domain of conflict – and as with any other domain of conflict, it requires clear rules for responsible behavior, red lines, and consequences for bad actors. Ambiguity is the enemy.
Governments must prioritize establishing and strengthening compliance with international law and norms online, and this must include greater cooperation with the private sector moving forward. The tech industry clearly has a role to play. Looking ahead, to bring greater stability and security in cyberspace, our top priorities as an international community should be:
- Respect for International Humanitarian Law (IHL) – The armed conflict in Ukraine requires combatants on both sides to adhere to IHL both in physical and digital domains. This includes protections for humanitarian aid and aid workers, as well as for civilians, refugees, prisoners and other non-combatants. The role of IHL in cyberspace was expressly referenced in the 2021 consensus report of the UN Group of Governmental Experts on information security, emphasizing that principles of humanity, necessity, and proportionality must also be observed online.
- Clarity on other international law obligations in cyberspace – While there continues to be agreement among governments that international law applies online, there is much less consensus on how it does specifically. This has resulted in important questions that, left unresolved, make the domain of conflict less predictable and cyberspace less secure. For example, how are actions of cyber mercenaries governed in conflict? And what are the limits of state sovereignty online?
- Transparency in enforcement – States must do more to not simply attribute state-sponsored cyberattacks, but to enumerate specifically which international expectations (norms and/or laws) have been violated by such attacks. Moreover, such infractions need to invite transparent, proportionate and non-escalatory consequences to strengthen international expectations online. Absent enforcement and unambiguous consequences, we cannot expect governments to change their decision making when it comes to cyber operations.
- Consider applicable new norms and expectations – While the existing framework of 11 UN-recognized norms for responsible state behavior online is an important foundation, the norms are by no means comprehensive or exhaustive. From the perspective of the tech community, these norms leave important elements of the digital ecosystem vulnerable to attack. This includes, for example, state-sponsored cyberattacks on the software update process which have previously put many thousands of organizations at risk. This same concern applies to numerous other core elements of the digital ecosystem that are not currently protected under existing norms.
- Build space for multistakeholder inclusion – It is obvious by now that the technology industry, and the wider multistakeholder community, must have a voice in deliberations around rules for responsible behavior in this new domain of conflict. While states will always be ultimate decision makers when it comes to matters of peace and security, there are simply too many overlapping equities and responsibilities in cyberspace for these other stakeholders to not have a voice in the discussions.